Sunday, November 10, 2013

Cisco ACI - Security Challenges key notes

"Cisco's ACI delivers centralized application-driven policy automation and management of, and visibility into, both physical and virtual environments as a single system. It is optimized to support an 'application anywhere' model, with complete freedom of application movement and placement. This novel approach empowers IT teams to offer cloud-based services to their customers directly, with the associated service-level agreements (SLAs) and performance requirements for the most demanding business applications."

The Cisco ACI architecture brings new challenges to the security domain in the data center.

In this short blog I will try to address some of the security challenges facing the Insieme group responsible for developing ACI.

Automation

With the ACI solution, Cisco aims to solve the slowness of the IT department by automating the way applications are deployed in the data center.

To deploy a new application, ACI uses an "application profile". This profile contains all the details needed from the network perspective, such as VLAN connectivity, routing, computing, storage and security. It is analogous to the service profile in the UCS world.

Let's take, for example, the deployment of a SharePoint application with ACI.

Is the security policy for an internal SharePoint the same as for an external, Internet-facing SharePoint?

Different applications will need different, custom security policies.

APIC - Control Plane

The APIC will use a control plane protocol to talk with the other entities. The APIC needs it to provision and configure those entities and to measure their health status.

There must be a strong authentication method for new devices connecting to the APIC control plane, and the connection must be secured with very strong and fast encryption.

Attacking the APIC

One of the most common attack methods used to take down a public service is a DDoS (distributed denial-of-service) attack.

The APIC will need an internal mechanism to protect itself from this form of attack.

Compromise of the APIC

The APIC is the heart of the ACI architecture; one of the biggest threats to the entire ACI architecture is unauthorized access to, or compromise of, the APIC that controls all the entities.

The OS of the APIC will need to be built on a hardened custom kernel instead of the public Linux kernel, with a minimum of open services.

Access to the APIC needs to be narrowed to a few specific management IP addresses.

Northbound interfaces API

One of the key features of ACI is the ability of third-party applications to communicate with the APIC. The northbound interface allows cloud management systems like OpenStack or Cloupia to program and orchestrate the APIC.

What if an attacker manages to inject a malicious script into a third-party solution, which then returns that script in an API response that you are handling?
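As an added illustration (not from the original post, and not APIC or Cloupia code), this is the defensive handling that question calls for: treat the third-party API response as untrusted input, validate it against the fields you expect, and escape every string before it is rendered. The field names and the sample response are constructed assumptions.

```python
import html
import json
import re

# Constructed sample: a JSON reply from a hypothetical third-party
# orchestration tool that was itself compromised; the free-text field
# carries markup an unwary management UI would execute.
SAMPLE_RESPONSE = json.dumps({
    "tenant": "finance",
    "description": "Payroll app <script>alert('x')</script>",
    "vlan": 120,
})

# The fields we expect back, and nothing else. Unknown keys are rejected
# rather than passed through to other components.
SCHEMA = {"tenant": str, "description": str, "vlan": int}
TENANT_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def parse_response(raw: str) -> dict:
    """Parse and validate a response body; raise ValueError on anything unexpected."""
    data = json.loads(raw)
    if not isinstance(data, dict):
        raise ValueError("response body must be a JSON object")
    unknown = set(data) - set(SCHEMA)
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    for key, typ in SCHEMA.items():
        value = data.get(key)
        # bool is a subclass of int in Python, so exclude it explicitly
        if not isinstance(value, typ) or isinstance(value, bool):
            raise ValueError(f"field {key!r} missing or not {typ.__name__}")
    # Identifiers that reach other systems get a strict allow-list pattern.
    if not TENANT_RE.match(data["tenant"]):
        raise ValueError("tenant name contains disallowed characters")
    if not 1 <= data["vlan"] <= 4094:
        raise ValueError("vlan out of range")
    return data


def render_summary(record: dict) -> str:
    """Build an HTML fragment; every string is escaped so it is displayed, never executed."""
    return (
        f"<li>{html.escape(record['tenant'])} (VLAN {record['vlan']}): "
        f"{html.escape(record['description'])}</li>"
    )


if __name__ == "__main__":
    print(render_summary(parse_response(SAMPLE_RESPONSE)))
```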


My Info

Over 12 years of experience around data center technologies, focused on network and security solutions for global enterprises. A highly motivated and enthusiastic MSc graduate holding a wide range of industry-leading certificates, I'm able to demonstrate strong team-working skills and experience in various fields.

Currently focused on solutions incorporating VMware NSX with various cloud platforms deployed on VMware infrastructure.